Need help with Untrusted VPN Server Certificate warning.

benrad
Level 1

I've been over the many other posts on this issue, and they all seem a little different, so I started my own thread.

I have deployed AnyConnect 3.1.02026 to my users via the ASA, and we all get the Untrusted VPN Server Cert warning when connecting.

When the ASA deploys the client, it puts the outside IP of the ASA as the hostname, which is causing the error.

So I have two questions: 1. How do I get the ASA to make the hostname "vpn.cfo.com" when a user installs the client and 2. How do I change my cert so it doesn't show the internal name of the ASA and uses "vpn.cfo.com" instead?

Here's all the info anyone should need to help (I think)

ssl trust-point ASDM_TrustPoint0 OUTSIDE_PRIMARY

Certificate
  Status: Available
  Certificate Serial Number: *********
  Certificate Usage: Signature
  Public Key Type: RSA (1024 bits)
  Signature Algorithm: SHA1 with RSA Encryption
  Issuer Name:
    hostname=ambossfw01.cfopub.net
    cn=ambossfw01
  Subject Name:
    hostname=ambossfw01.cfopub.net
    cn=ambossfw01
  Validity Date:
    start date: 15:17:42 EDT Jun 2 2011
    end   date: 15:17:42 EDT May 30 2021
  Associated Trustpoints: ASDM_TrustPoint0

CA Certificate
  Status: Available
  Certificate Serial Number: ******************************
  Certificate Usage: General Purpose
  Public Key Type: RSA (2048 bits)
  Signature Algorithm: SHA1 with RSA Encryption
  Issuer Name:
    cn=VeriSign Class 3 Public Primary Certification Authority - G5
    ou=(c) 2006 VeriSign\, Inc. - For authorized use only
    ou=VeriSign Trust Network
    o=VeriSign\, Inc.
    c=US
  Subject Name:
    cn=VeriSign Class 3 Secure Server CA - G3
    ou=Terms of use at https://www.verisign.com/rpa (c)10
    ou=VeriSign Trust Network
    o=VeriSign\, Inc.
    c=US
  OCSP AIA:
    URL: http://ocsp.verisign.com
  CRL Distribution Points:
    [1]  http://crl.verisign.com/pca3-g5.crl
  Validity Date:
    start date: 19:00:00 EST Feb 7 2010
    end   date: 18:59:59 EST Feb 7 2020
  Associated Trustpoints: _SmartCallHome_ServerCA

Any help would be greatly appreciated.

Accepted Solution

Hi,

Cisco has made the verification of KU and EKU strict in recent AnyConnect releases, which leads to the warning you got.

To my knowledge, if you downgrade to 3.1.00495, you will not get this warning, otherwise, you need to get valid KU and EKU fields in your ASA certificate.

To use a specific trustpoint, please check the command "ssl trust-point" from the global config mode.

Mashal

------------------ Mashal Shboul
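An added pre-flight check for the KU/EKU point above; it is not code from the thread or from Cisco. Given a certificate and the hostname users connect to, it reports the three things this thread turns on: the name match, a KeyUsage extension, and an ExtendedKeyUsage containing serverAuth. The exact bits it demands (digitalSignature in KU, serverAuth in EKU) are assumptions about a normal TLS server certificate rather than Cisco's documented rule, and the two test certificates are constructed inline.

```python
# Added example (not from the thread or Cisco): pre-flight check of a server cert for
# the three things this thread turns on: connect name, KeyUsage, EKU with serverAuth.
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

def check_vpn_cert(cert, hostname):
    """Return a list of problems; an empty list means the cert should be accepted."""
    problems = []
    # 1. CN or a DNS SAN must equal the hostname the AnyConnect client connects to.
    names = [a.value for a in cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)]
    try:
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
        names += san.get_values_for_type(x509.DNSName)
    except x509.ExtensionNotFound:
        pass
    if hostname not in names:
        problems.append("name mismatch: %s not in %s" % (hostname, names))
    # 2. KeyUsage must exist and allow signing (assumed bit; the ASA cert above has none).
    try:
        ku = cert.extensions.get_extension_for_class(x509.KeyUsage).value
        if not ku.digital_signature:
            problems.append("KeyUsage lacks digitalSignature")
    except x509.ExtensionNotFound:
        problems.append("no KeyUsage extension")
    # 3. EKU must list serverAuth; a public CA sets it, the ASA's local cert (per the thread) does not.
    try:
        eku = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
        if ExtendedKeyUsageOID.SERVER_AUTH not in eku:
            problems.append("ExtendedKeyUsage lacks serverAuth")
    except x509.ExtensionNotFound:
        problems.append("no ExtendedKeyUsage extension")
    return problems

def make_self_signed(cn, with_usage_exts):
    """Constructed test cert: bare like the ASA's cn=ambossfw01 (False) or with SAN/KU/EKU (True)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    now = datetime.now(timezone.utc)
    b = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
         .public_key(key.public_key()).serial_number(x509.random_serial_number())
         .not_valid_before(now).not_valid_after(now + timedelta(days=365)))
    if with_usage_exts:
        b = b.add_extension(x509.SubjectAlternativeName([x509.DNSName(cn)]), critical=False)
        # KeyUsage bits: digitalSignature and keyEncipherment on, the other seven off
        b = b.add_extension(x509.KeyUsage(True, False, True, False, False, False, False, False, False), critical=True)
        b = b.add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.SERVER_AUTH]), critical=False)
    return b.sign(key, hashes.SHA256())
```

To check a real certificate, load it with x509.load_pem_x509_certificate() and pass it to check_vpn_cert(); the bare ASA cert in the question fails all three checks, while a cert with the right CN but no KU/EKU fails only the last two.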


Jennifer Halim
Cisco Employee

Create a new self-signed certificate by creating a new trustpoint, and when you create the certificate, configure the subject-name to be "CN=vpn.cfo.com" as follows:

subject-name CN=vpn.cfo.com

Then apply the newly created trustpoint to the outside interface.

Here is a URL for your reference on generating the self-signed certificate with the correct CN:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808efbd2.shtml


Hope that helps.

That looks like what I need, because apparently I was digging around in the wrong place. I've configured the new cert and now I need to reload the ASA (tonight).

Thanks for your help!

I followed all the directions, but unfortunately I'm still getting the warning. This time it gives me the correct FQDN in the warning, so I'm not really sure what the problem is. It still says that the cert is untrusted.

Any other ideas?

Thanks.

The actual AnyConnect uses new settings that control the "extended key-usage" in the certificate. Sadly, certificates with that field can't be configured locally on the ASA. You should deploy a certificate from a public CA. There are many cheap CAs and even some with free certificates.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Thanks, I will try that out.

I created a public cert using CAcert.org, installed it, and I'm still getting the "Certificate is from an untrusted source" error. This is progress, but it still requires the user to check the trust box and then connect. The higher-ups want it to be seamless, with as little interaction as possible. What step did I miss if I'm getting the untrusted source error?

Additional info: I noticed that the CAcert.org CA cert that I installed is associated with Trustpoint3, while the new Identity Certificate is associated with TrustPoint2. Is this the problem? How do I associate the CA cert from CAcert.org with TrustPoint2? I don't recall ever getting an option to do this.


It turns out I needed to use a legit SSL cert, and not use the self-signed cert. So I bought one, and everything works now.

I am having the same issue.

Where did you buy your new certificate from?